Varun Sharma
Where the job fails if there is a call to endpoints not in the allowed list. https://github.com/step-security/harden-runner/issues/61#issuecomment-1020689295
https://github.com/jauderho/dockerfiles/runs/4929417948?check_suite_focus=true#step:3:9 https://github.com/step-security/harden-runner/issues/61#issuecomment-1020662748
https://github.com/step-security/harden-runner/issues/61#issuecomment-1019030597
This issue is to track progress on adding GitHub token permissions to workflows for critical open source projects. OSSF has a working group to identify critical projects and calculate criticality...
List of PRs:

### Critical open source projects

As per: https://github.com/ossf/wg-securing-critical-projects

1-10

- [x] https://github.com/ampproject/amphtml/pull/38019
- [x] https://github.com/ant-design/ant-design/pull/34946
- [x] https://github.com/caolan/async/pull/1829
- [x] https://github.com/babel/babel/pull/14539
- [x] https://github.com/apache/commons-codec/pull/131
- [x] https://github.com/apache/commons-lang/pull/894
...
Organize the project into two parts

1. Simulation of past attacks
   - [ ] SolarWinds (SUNPOST) - already exists
   - [ ] Codecov (tampering of artifact in storage account) -...
e.g. Codecov breach
- [ ] simulate exfiltration of token instead of repo (idea)
- [ ] add block mode in harden-runner
- [ ] add missing domain - storage.googleapis.com
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#exfiltrating-data-from-a-runner
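The comment above describes block mode (the job fails on a call to an endpoint not in the allowed list) and the checklist names storage.googleapis.com as a domain missing from the list. The following is an added example, not code from step-security/harden-runner or its agent, that models that policy decision in Python: it parses a constructed `allowed-endpoints` block, compares it against a constructed set of connections a job made, and shows that the same unlisted call is merely reported under audit mode but fails the job under block mode, and that the fix is to add the missing `host:port` entry rather than to fall back to audit. The `host:port` line format is taken from the action's input; the wildcard rule (`*.` matches subdomains only, never the apex), the comment syntax, the sample data, and the function names `parse_allowed_endpoints`, `endpoint_allowed`, `evaluate` and `run_demo` are assumptions made for this illustration and may differ from how the real agent matches endpoints.

```python
"""Model of a harden-runner style egress policy check (added example).

Not the step-security/harden-runner agent's code. It models the behaviour
described in the issue: an unlisted outbound call is only reported in audit
mode, while in block mode it fails the job. The allowed list, the observed
connections and the wildcard rule are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed allowed list, one "host:port" per line like the action's
# `allowed-endpoints` input. '#' comment lines are an assumption of this model.
ALLOWED_ENDPOINTS = """
# GitHub itself
github.com:443
api.github.com:443
# Actions service (assumption: '*.' matches any subdomain, not the apex)
*.actions.githubusercontent.com:443
"""


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int

    def __str__(self) -> str:
        return f"{self.host}:{self.port}"


def parse_allowed_endpoints(text: str) -> list[Endpoint]:
    """Parse the allowed-endpoints block; reject lines without a port so a typo
    cannot silently widen the policy."""
    allowed: list[Endpoint] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"allowed endpoint needs host:port, got {line!r}")
        allowed.append(Endpoint(host.lower(), int(port)))
    return allowed


def endpoint_allowed(ep: Endpoint, allowed: list[Endpoint]) -> bool:
    """True if ep matches an allowed entry exactly or via a '*.' wildcard."""
    for rule in allowed:
        if rule.port != ep.port:
            continue
        if rule.host.startswith("*."):
            # Keep the leading dot in the suffix: "evil-actions.githubusercontent.com"
            # must not match "*.actions.githubusercontent.com".
            if ep.host.endswith(rule.host[1:]):
                return True
        elif rule.host == ep.host:
            return True
    return False


def evaluate(observed: list[Endpoint], allowed: list[Endpoint],
             egress_policy: str) -> tuple[bool, list[Endpoint]]:
    """Return (job_should_fail, unlisted_endpoints). Unlisted endpoints are
    reported under both policies; only 'block' turns them into a failure."""
    if egress_policy not in ("audit", "block"):
        raise ValueError(f"egress_policy must be 'audit' or 'block', got {egress_policy!r}")
    unlisted = [ep for ep in observed if not endpoint_allowed(ep, allowed)]
    return (egress_policy == "block" and bool(unlisted)), unlisted


# Constructed connections "seen" during a job: two legitimate GitHub calls plus
# the upload to storage.googleapis.com that the checklist lists as missing.
OBSERVED_CONNECTIONS = [
    Endpoint("github.com", 443),
    Endpoint("pipelines.actions.githubusercontent.com", 443),
    Endpoint("storage.googleapis.com", 443),
]


def run_demo() -> dict[str, object]:
    allowed = parse_allowed_endpoints(ALLOWED_ENDPOINTS)
    audit_fail, audit_unlisted = evaluate(OBSERVED_CONNECTIONS, allowed, "audit")
    block_fail, _ = evaluate(OBSERVED_CONNECTIONS, allowed, "block")
    # The fix is to add the missing domain, not to drop back to audit mode.
    fixed = allowed + [Endpoint("storage.googleapis.com", 443)]
    fixed_fail, fixed_unlisted = evaluate(OBSERVED_CONNECTIONS, fixed, "block")
    return {
        "audit_fails": audit_fail,
        "audit_reports": [str(e) for e in audit_unlisted],
        "block_fails": block_fail,
        "fixed_fails": fixed_fail,
        "fixed_reports": [str(e) for e in fixed_unlisted],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the audit run report `storage.googleapis.com:443` without failing, the block run fail on the same call, and the run with the added entry pass. The port is part of the match on purpose: an entry for `github.com:443` should not quietly permit plaintext traffic to port 80.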